GRC audits, audit observations and remediation tasks - Legacy

An audit definition establishes a set process for validating controls and control tests. From the definition, audit instances can be generated as tasks that drive the audit. During the audit process, the auditor can record audit observations to track the information gathered. Auditors can then use these observations to create remediation tasks.

Once generated, audit instances can reference any existing evidence of compliance by associating previously executed control tests with the control test definitions that have been established in the audit.

During the audit process, an administrator can create and assign remediation tasks that need to be performed before and during an audit. In addition, audit requirements associate citations with the audit, allowing auditors to track compliance or non-compliance with the original regulations.

If the latest evidence is not recent enough, click Execute Now in the Control Test Definition form to execute a control test instance. This action creates the control test instance and automatically associates it with the audit. The control test instance record also has the Generate from audit field populated with the audit number, making it clear that the test was created from an audit and not manually.

The following diagram illustrates the process of managing an audit with IT Governance, Risk and Compliance:

Figure 1. GRC audit process